Validation of Cloud Security Policies

ABSTRACT

Methods and systems for validating security policy in a cloud computing environment are provided. An example method includes providing a graph database, the graph database representing workloads of the cloud computing environment as nodes and relationships between the workloads as edges, receiving a security policy, the security policy logically describing rules for the relationships between the workloads, determining, based on the security policy and the graph database, a list of violations, the list of violations including at least one relationship from the relationships between the workloads in the graph database, the at least one relationship being not allowed by at least one of the rules in the security policy, and providing the list of violations to a user.

CROSS-REFERENCE TO RELATED APPLICATION

The present application is related to U.S. patent application Ser. No.______ (Attorney Docket No. PA9273US) filed ______, titled “CloudSecurity Management”. The subject matter of the aforementionedapplication is incorporated herein by reference for all purposes.

FIELD OF THE INVENTION

The present technology pertains to communications networks, and morespecifically to security in cloud computing environments.

BACKGROUND ART

The approaches described in this section could be pursued but are notnecessarily approaches that have previously been conceived or pursued.Therefore, unless otherwise indicated, it should not be assumed that anyof the approaches described in this section qualify as prior art merelyby virtue of their inclusion in this section.

Due to the extensive use of computer networks by enterprises, there hasbeen a dramatic rise in network attacks, a proliferation of computerviruses, and a constant distribution of other types of malicious contentthat attempts to attack, infect, or otherwise infiltrate the computernetworks. Attackers breach internal networks and public clouds to stealcritical data. For example, attackers target low-profile assets to enterthe internal network. Inside the internal network and public clouds, andbehind the hardware firewall, attackers move laterally across theinternal network, exploiting East-West traffic flows, to criticalenterprise assets. Once there, attackers siphon off valuable company andcustomer data.

SUMMARY OF THE INVENTION

This summary is provided to introduce a selection of concepts in asimplified form that are further described in the Detailed Descriptionbelow. This summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used as an aid in determining the scope of the claimed subjectmatter.

The present disclosure is related to various methods and systems forvalidating security policy in a cloud computing environment.Specifically, a method for validating security policy in a cloudcomputing environment may include providing a graph database. The graphdatabase may represent workloads of the cloud computing environment asnodes and relationships between the workloads as edges. The method mayinclude receiving a security policy. The security policy may logicallydescribe rules for the relationships between the workloads. The methodmay include determining, based on the security policy and the graphdatabase, a list of violations. The list of violations may include atleast one relationship from the relationships between the workloads inthe graph database such that the relationship is not allowed by at leastone of the rules in the security policy. The method may further includeproviding the list of violations to a user.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments are illustrated by way of example, and not by limitation, inthe figures of the accompanying drawings, in which like referencesindicate similar elements and in which:

FIG. 1 is a simplified block diagram of a cloud computing environment,according to some embodiments.

FIG. 2 is a simplified block diagram of a system for cloud securitymanagement, according to various embodiments.

FIG. 3 depicts simplified graph of a cloud computing environment, inaccordance with some embodiments.

FIG. 4A shows another graph of a cloud computing environment and FIG. 4Bdepicts a graph of an application, in accordance with variousembodiments.

FIG. 5 is a simplified flow diagram of a method for cloud securitymanagement, according to some embodiments.

FIG. 6 is a simplified block diagrams showing functionality of a protectin a cloud security management, according to some embodiments.

FIG. 7 is a simplified flow diagram of a method for validating securitypolicy in a cloud computing environment, according to some embodiments.

FIG. 8 is a simplified block diagram of a computing system, according tovarious embodiments.

DETAILED DESCRIPTION

While this technology is susceptible of embodiment in many differentforms, there is shown in the drawings and will herein be described indetail several specific embodiments with the understanding that thepresent disclosure is to be considered as an exemplification of theprinciples of the technology and is not intended to limit the technologyto the embodiments illustrated. The terminology used herein is for thepurpose of describing particular embodiments only and is not intended tobe limiting of the technology. As used herein, the singular forms “a,”“an,” and “the” are intended to include the plural forms as well, unlessthe context clearly indicates otherwise. It will be further understoodthat the terms “comprises,” “comprising,” “includes,” and/or“including,” when used in this specification, specify the presence ofstated features, integers, steps, operations, elements, and/orcomponents, but do not preclude the presence or addition of one or moreother features, integers, steps, operations, elements, components,and/or groups thereof. It will be understood that like or analogouselements and/or components, referred to herein, may be identifiedthroughout the drawings with like reference characters. It will befurther understood that several of the figures are merely schematicrepresentations of the present technology. As such, some of thecomponents may have been distorted from their actual scale for pictorialclarity.

FIG. 1 shows cloud computing environment 100 including workloads 110_(1,1)-110 _(X,Y), according to some embodiments. Cloud computingenvironment 110 provides on-demand availability of computer systemresources, such as data storage and computing power. Cloud computingenvironment 110 can physically reside in one or more data centers and/orbe physically distributed over multiple locations. Cloud computingenvironment 110 can be hosted by more than one cloud service, such asthose provided by Amazon, Microsoft, and Google. Cloud computingenvironment 110 can be limited to a single organization (referred to asan enterprise cloud), available to many organizations (referred to as apublic cloud) or a combination of both (referred to as a hybrid cloud).Examples of public clouds include Amazon Web Services (AWS), MicrosoftAzure, and Google Cloud Platform (GCP).

Each of workloads 110 _(1,1)-110 _(X,Y) can be a unit of computingresource, such as a physical computing system (also referred to as abare metal server), virtual machine, container, pod, and combinationsthereof. A physical computing system is computer hardware and not avirtual computing system, such as a virtual machine and container. Inaddition to running operating systems and applications, physicalcomputing systems can be the hardware that virtual computing systems runon.

A virtual machine provides a substitute for a physical computing system,including functionality to execute entire operating systems. Virtualmachines are created and run by a hypervisor or virtual machine monitor(VMM). A hypervisor is computer software or firmware which can run onworkloads 110 _(1,1)-110 _(X,Y). A hypervisor uses native execution toshare and manage hardware, allowing for multiple environments which areisolated from one another, yet exist on the same physical computingsystem.

Containers are an operating system-level virtualization method fordeploying and running distributed applications without launching anentire virtual machine for each application. Containers can look likephysical computing systems from the point of view of programs running inthem. Generally, a computer program running on an operating system cansee all resources (e.g., connected devices, files and folders, networkshares, CPU power, etc.) of that physical computing system. However,programs running inside a container can only see the container'scontents and devices assigned to the container. A pod is a group ofcontainers with shared storage and/or network resources, and a sharedspecification for how to run the containers.

A container is an instance of an image. An image can be a file,comprised of multiple layers, with information to create a complete andexecutable version of an application. Containers can be arranged,coordinated, and managed—including means of discovery and communicationsbetween containers—by container orchestration (e.g., Docker Swarm®,Kubernetes®, Amazon EC2 Container Service (ECS), Diego, Red HatOpenShift, and Apache® Mesos™). In contrast to hypervisor-basedvirtualization, containers may be an abstraction performed at theoperating system (OS) level, whereas virtual machines are an abstractionof physical hardware.

Typically, workloads 110 _(1,1)-110 _(X,Y) of cloud computingenvironment 100 individually and/or collectively run applications and/orservices. Applications and/or services are programs designed to carryout operations for a specific purpose. By way of non-limiting example,applications can be a database (e.g., Microsoft SQL Server®, MongoDB,Hadoop Distributed File System (HDFS), etc.), email server (e.g.,Sendmail®, Postfix, qmail, Microsoft® Exchange Server, etc.), messagequeue (e.g., Apache® Qpid™, RabbitMQ®, etc.), web server (e.g., Apache®HTTP Server™, Microsoft© Internet Information Services (IIS), Nginx,etc.), Session Initiation Protocol (SIP) server (e.g., Kamailio® SIPServer, Avaya® Aura® Application Server 5300, etc.), other media server(e.g., video and/or audio streaming, live broadcast, etc.), file server(e.g., Linux server, Microsoft® Windows Server®, etc.), service-orientedarchitecture (SOA) and/or microservices process, object-based storage(e.g., Lustre®, EMC® Centera®, Scality® RING®, etc.), directory service(e.g., Microsoft® Active Directory®, Domain Name System (DNS) hostingservice, etc.), and the like.

Physical computing systems and cloud computing environments aredescribed further in relation to FIG. 6.

FIG. 2 shows system 200 for cloud security management, according to someembodiments. System 200 includes controller 210. Controller 210 canreceive streaming telemetry 275 from network logs 270, events 285 fromcloud control plane 280, and inventory 295 from configuration managementdatabase (CMDB) 290.

Network logs 270 can be data sources such as flow logs from cloudservices 260 ₁-260 _(Z) (e.g., Amazon Web Services (AWS), MicrosoftAzure, and Google Cloud Platform (GCP)), vArmour DSS DistributedSecurity System, Software Defined Networking (SDN) (e.g., VMware NSX andCisco Application Centric Infrastructure (ACI)), monitoring agents(e.g., Tanium Asset and Falco) and the like. Generally, streamingtelemetry 275 can be low-level data about relationships betweenapplications. Streaming telemetry 275 can include 5-tuple, layer 7(application layer) process information, management plane logs, and thelike. 5-tuple refers to a set of five different values that comprise aTransmission Control Protocol/Internet Protocol (TCP/IP) connection: asource IP address/port number, destination IP address/port number andthe protocol in use. Streaming telemetry can alternatively oradditionally include a volume of data (i.e., how much data is or howmany data packets are) exchanged between workloads (e.g., workloads 110_(1,1)-110 _(X,Y) in FIG. 1) in a network, (dates and) times at whichcommunications (e.g., data packets) are exchanged between workloads, andthe like.

Cloud control plane 280 establishes and controls the network andcomputing resources within a cloud computing environment (e.g., cloudcomputing environment 100 in FIG. 1). Cloud control plane 280 caninclude interfaces for managing assets (e.g., launching virtual machinesand/or containers, configuring the network, etc.) in a cloud computingenvironment. For example, cloud control plane 280 can include one ormore instances of container orchestration, such as Docker Swarm®,Kubernetes®, Amazon EC2 Container Service (ECS), Diego, and Apache®Mesos™. By way of further non-limiting example, cloud control plane 280can include VMware vSphere, application programming interfaces (APIs)provided by cloud services 260 ₁-260 _(Z), and the like.

Events 285 can include information about a container (and/or a pod)being created, having a state change, having an error, and the like. Forexample, when a container is created, information about the workloadsuch as a service name, image deployed, and the like can be received inevents 285. By way of further example, additional information from animage registry corresponding to the deployed image can be gathered bycontroller 210.

Configuration management database (CMDB) 290 can be a database ofinformation about the hardware and software components (also known asassets) used in a cloud computing environment (e.g., cloud computingenvironment 100 in FIG. 1) and relationships between those componentsand business functions. CMDB 290 can include information about upstreamsources or dependencies of components, and the downstream targets ofcomponents. For example, inventory 295 can be used to associate anapplication name and other information (e.g., regulatory requirements,business unit ownership, business criticality, and the like) with theworkload (e.g., workloads 110 _(1,1)-110 _(X,Y) in FIG. 1) it is runningon.

Streaming telemetry 275, events 285, and inventory 295 can be ingestedby graph 220. Graph 220 normalizes information received in streamingtelemetry 275, events 285, and inventory 295 into a standard data formatand/or model, graph database 225. Graph database 225 uses a graph datamodel comprised of nodes (also referred to as vertices), which is anentity such as a workload (e.g., of workloads 110 _(1,1)-110 _(X,Y) inFIG. 1), and edges, which represent the relationship between two nodes.Edges can be referred to as relationships. An edge can have a startnode, end node, type, and direction, and an edge can describeparent-child relationships, actions, ownership, and the like. Incontrast to relational databases, relationships are (most) important ingraph database 225. In other words, connected data is equally (or more)important than individual data points.

Conventionally, security management systems stored raw logs of each andevery individual communication between workloads. The amount of datascaled linearly and consumed massive amounts of storage. In contrast,streaming telemetry 275, events 285, and inventory 295, graph 220 (FIG.2) can be used by graph 220 to create and update graph (database) 300.The individual communications are not stored. In this way, graphdatabase 225 is advantageously scalable. For example, graph database 225for a large cloud computing environments of 30,000-50,000 workloads canbe stored in memory of a workload (e.g., of workloads 110 _(1,1)-110_(X,Y) in FIG. 1).

FIG. 3 depicts (simplified) graph (database) 300 of a cloud computingenvironment, according to various embodiments. Graph 300 is a simplifiedexample, purely for illustrative purposes, of a graph in graph database225 (FIG. 2). Graph 300 can include three workloads (e.g., of workloads110 _(1,1)-110 _(X,Y) in FIG. 1): node 310, node 330, and node 350. Asshown in FIG. 3, edge (relationship) 320 is between nodes 310 and 330have; edge (relationship) 340 is between nodes 330 and 350; edge(relationship) 360 is between nodes 350 and 310.

Using streaming telemetry 275, events 285, and inventory 295, graph 220(FIG. 2) can determine information 335 about node 330. By way ofnon-limiting example, information 335 can include an application name,application function, business organization (e.g., division within acompany), realm (e.g., production system, development system, and thelike), (geographic) location/zone, and other metadata. Moreover, usinglayer 7 information (when available), the name of the database can bedetermined.

Referring back to FIG. 2, graph 220 can employ various techniques tomanage entropy. In a cloud computing environment (e.g., cloud computingenvironment 100 in FIG. 1), entropy is change to the workloads (e.g.,created and removed), communications among workloads (e.g., whichworkloads communicate with other workloads), applications and servicesprovided in the network, and the like. Typically in a (closed)enterprise cloud, entropy is low. For example, after monitoring anenterprise cloud for one month, another month of monitoring will reveallittle that is new.

On the other hand, a web server connected to the Internet will have highentropy, because the number of relationships (connections) to clients onthe Internet (nodes) is huge and continues to grow. To protect the sizeof graph database 225, graph 220 can recognize when there is highentropy and summarize the nodes. For example, the vast (and growing)number of clients on the Internet is represented by a single “Internet”object with one edge to the web server node.

According to some embodiments, a new relationship can be created arounda particular node in graph database 225, as streaming telemetry 275,events 285, and inventory 295 are processed by graph 220. Graph 220(FIG. 2) can further re-analyze the edges (relationships) connected tothe particular node, to classify what the particular node is. Forexample, if the node accepts database client connections from systemsthat are known to be application servers, then graph 220 may classifythe node as a database management system (i.e., a certain group).Classification criteria can include heuristic rules. Graph 220 can usemachine learning algorithms and measure how close a particular node isto satisfying conditions for membership in a group. Classification isdescribed further in U.S. Pat. No. 10,264,025 issued Apr. 16, 2019,titled “Security Policy Generation for Virtualization, Bare-MetalServer, and Cloud Computing Environments,” which is hereby incorporatedby reference for disclosure of classification.

Visualize 230 can visually present information from graph database 225to users according to various criteria, such as by application,application type, organization, and the like. FIGS. 4A and 4B showexample visual presentations 400A and 400B, respectively, in accordancewith some embodiments.

Visualize 230 can visually organize information from graph database 225.In some embodiments, nodes that behave similarly can be clusteredtogether (i.e., be put in a cluster). For example, when two nodes havesimilar edges (relationships) and behave in a similar fashion (e.g., runthe same application, are associated with the same organization, and thelike), the two nodes can be clustered together. Nodes that are clusteredtogether can be visually presented as a shape (e.g., circle, rectangle,and the like) which denotes that there are a certain number of workloadsfulfilling the same function, instead of presenting a shape for eachworkload in the cluster.

In various embodiments, visualize 230 can detect and presentcommunities. Communities are workloads (e.g., of workloads 110_(1,1)-110 _(X,Y) in FIG. 1) that have a close set of edges(relationships). The constituent workloads of a community do not have tobe the same—they can each perform different functions, such as webserver, database server, application server, and the like—but theworkloads are densely connected. In other words, the nodes communicatewith each other often and in high volume. Workloads in a community actcollectively to perform an application, service, and/or businessfunction. Instead of displaying a shape (e.g., circle, rectangle, andthe like) for each of the hundreds or thousands of workloads in acommunity, the community can be represented by a single shape denotingthe application performed, the number of constituent workloads, and thelike.

Protect 240 can use information in the graph database 225 to designsecurity policies. Security policies can implement security controls,for example, to protect an application wherever it is in a cloudcomputing environment (e.g., cloud computing environment 100 in FIG. 1).A security policy can specify what is to be protected (“nouns”), forexample, applications run for a particular organization. A securitypolicy can further specify a security intent (“verbs”), that is, how toprotect. For example, a security intent can be to implement Payment CardIndustry Data Security Standard (PCI DSS) network segmentationrequirements (a regulatory requirement), implement a security bestpractices for databases, implement a whitelist architecture, and thelike. By way of further example, a security intent can be specified in atemplate by a user (responsible for system administration, security, andthe like).

Nouns and verbs can be described in a security template. A securitytemplate can include logic about how to process information in graphdatabase 225 relating to workloads having a particular label/selection(nouns). Labels can be provided by logs 270 (e.g., layer 7 information),cloud control planes 280 (e.g., container orchestration), and CMDB 290.Protect 240 uses a security template to extract workloads to beprotected (nouns) from graph database 225. Protect 240 further applieslogic in the security template about how to protect the workloads(verbs) to produce a security policy. In various embodiments, securitytemplates are JavaScript Object Notation (JSON) documents, documents inJinja (or Jinja2), YAML Ain't Markup Language (YAML) documents, OpenPolicy Agent (OPA) rules, and the like. Jinja and Jinja2 are a webtemplate engine for the Python programming language. YAML is ahuman-readable data-serialization language. OPA is an open source,general-purpose policy engine that enables unified, context-aware policyenforcement. Security templates are described further in U.S. patentapplication Ser. No. ______ (Attorney Docket No. PA9274US) filed ______,titled “Template-Driven Intent-Based Security,” which is herebyincorporated by reference for disclosure of generating a security policyusing security templates.

Protect 240 can produce multiple security policies, each reflectingindependent pieces of security logic that can be implemented by protect240. In various embodiments, security policies are JavaScript ObjectNotation (JSON) documents which are described to a user (responsible forsystem administration, security, and the like) in natural language. Anatural language is any language that has evolved naturally in humansthrough use and repetition without conscious planning or premeditation.Natural language can broadly be defined in contrast to artificial orconstructed languages such as computer programming languages. Themultiple security policies can be placed in an order of precedence toresolve potential conflicts. Visualize 230 can be used to visualize thesecurity policy (or security policies), showing the workloads protected,permitted relationships, and prohibited relationships. Protect 240 canthen be used to edit the security policy. For example, there can be aprimary and backup server (e.g., of workloads 110 _(1,1)-110 _(X,Y) inFIG. 1). The backup server may have never been used and may not have thesame edges (relationships) as the primary server in graph database 225.The security policy can be edited to give the backup server the samepermissions as the primary server.

Protect 240 can validate a security policy. The security policy can besimulated using graph database 225. For example, a simulation can reportwhich applications are broken (e.g., communications among nodes neededby the application to operate are prohibited) by the security policy,are unnecessarily exposed by weak policy, and the like. Security policyvalidation is described further in U.S. patent application Ser. No.______ (Attorney Docket No. PA9275US) filed ______, titled “Validationof Cloud Security Policies,” which is incorporated by reference hereinfor disclosure of security policy validation.

Protect 240 can test a security policy. Protect can use historical datain graph database 225 to determine entropy in the cloud computingenvironment (e.g., cloud computing environment 100 in FIG. 1). Forexample, when a cloud computing environment first starts up, there areinitially numerous changes as workloads are brought online andcommunicate with each other, such that entropy is high. Over time, thecloud computing environment becomes relatively stable with few changes,so entropy becomes low. In general, security policies are less reliablewhen entropy is high. Protect 240 can determine a level of entropy inthe cloud computing environment and produce a reliability score andrecommendation for the security policy. Security policy testing isdescribed further in U.S. patent application Ser. No. ______ (AttorneyDocket No. PA9276US) filed ______, titled “Reliability Prediction forCloud Security Policies,” which is incorporated by reference herein fordisclosure of security policy reliability prediction.

Protect 240 can deploy a security policy (or security policies). Thesecurity policy is deployed as needed in one or more cloud computingenvironments of cloud services 260 ₁-260 _(Z) (e.g., Amazon Web Services(AWS), Microsoft Azure, and Google Cloud Platform (GCP)), vArmour DSSDistributed Security System, VMware NSX, and the like). Protect 240 canprovide the security policy to one or more of cloud drivers 250 ₁-250_(Z). Cloud drivers 250 ₁-250 _(Z) maintain an inventory and topology(i.e., current state) of the workloads in the cloud computingenvironments hosted by cloud services 260 ₁-260 _(Z), respectively.Cloud drivers 250 ₁-250 _(Z) can use their respective inventory andtopology to apply the security policy to the appropriate workloads, andrespond immediately to changes in workload topology and workloadplacement.

Cloud drivers 250 ₁-250 _(Z) can serve as an interface between protect240 (having a centralized security policy) and cloud services 260 ₁-260_(Z). In other words, cloud drivers 250 ₁-250 _(Z) implement thesecurity policy using the different facilities (e.g., applicationprogramming interfaces (APIs)) and capabilities available from cloudservices 260 ₁-260 _(Z). For example, each of cloud services 260 ₁-260_(Z) can have different syntax and semantics for implementing securitycontrols. Moreover, each of cloud services 260 ₁-260 _(Z) can havedifferent security capabilities (e.g., communications/connectionsbetween workloads can only be expressly permitted and not expresslyprohibited), rule capacity (limit on the number of rules), optimizationmethods, and the like.

Cloud drivers 250 ₁-250 _(Z) can maintain the integrity of the securitypolicy in the cloud computing environments hosted by cloud services 260₁-260 _(Z) (referred to as the “cloud”). Cloud drivers 250 ₁-250 _(Z)can check that the security policy actually deployed in the cloud is asit should be, using the security policy's JSON source. When the securitypolicy deployed in the cloud does not comport with the centralizedsecurity policy—such as when a bad actor logs into one of the cloudservices and removes all the security rules—the responsible cloud driver(of cloud drivers 250 ₁-250 _(Z)) can re-deploy the security policyand/or raise an operational alert. Where supported, cloud services 260₁-260 _(Z) can notify the respective cloud driver (of cloud drivers 250₁-250 _(Z)) of changes to the topology and/or configuration. Otherwise,the respective cloud driver (of cloud drivers 250 ₁-250 _(Z)) can pollthe cloud service (cloud services 260 ₁-260 _(Z)) to ensure the securityrules are in place.

As described above, a security policy can be pushed down to the cloudcomputing environments hosted by cloud services 260 ₁-260 _(Z) usingcloud drivers 250 ₁-250 _(Z), respectively. Additionally oralternatively, as new data comes into graph 220 as network logs 270,events 285 from cloud control plane 280, and inventory 295, protect 240can check the new data against the security policy to detect violationsand or drift (e.g., change in the environment and/or configuration).

Protect 240 can dynamically update a security policy as changes occur inthe cloud computing environments hosted by cloud services 260 ₁-260_(Z). For example, when a container (or pod) is deployed by containerorchestration, it can be given a label, and cloud control plane 290reports a container is deployed (as event 295). Labels can be predefinedto specify identifying attributes of containers (and pods), such thecontainer's application function. When the label corresponds to anattribute covered by an active (deployed) security policy, protect 240can dynamically add the new container to the active security policy (asa target). For example, when a pod is deployed for a particularorganization and there is an active policy for that organization, thenew workload is added to the security policy. Similarly, when acontainer is killed, the workload is removed from the security policy.Dynamically updating security policy is described further in U.S. Pat.No. 9,521,115 issued Dec. 13, 2016, titled “Security Policy GenerationUsing Container Metadata,” which is hereby incorporated by reference fordisclosure of dynamically updating security policy.

FIG. 5 shows method 500 for managing cloud security, according to someembodiments. Method 500 can be performed by system 200 (FIG. 2),including controller 210. Method 500 can commence at step 510 where datafrom a cloud computing environment (e.g., cloud computing environment100 in FIG. 1) can be received. For example, graph 220 (FIG. 2) canreceive streaming telemetry 275 from network logs 270, events 285 fromcloud control plane 280, and inventory 295 from configuration managementdatabase (CMDB) 290.

At step 520, a graph database can be created or updated using the clouddata. For example, streaming telemetry 275, events 285, and inventory295 (FIG. 2) can be normalized into a standard data format and stored ingraph database 225.

At step 530, a visual representation of the cloud computing environmentas modeled by the graph database can be provided. For example, visualize230 (FIG. 2) can present a graph using data in graph database 225. Insome embodiments, nodes (representing workloads in the cloud computingenvironment) can be clustered and/or placed in communities for visualclarity.

At step 540, a security template can be received. A security templatecan include logic about how to extract information from graph database225 to identify workloads to be targets of a security policy. Inaddition, a security template can specify how the workloads are to beprotected (e.g., security intent).

At step 550, a security policy can be created. For example, protect 240can use the security template to extract information from graph database225 (FIG. 2) to produce a security policy for the security intent of thesecurity template.

At step 560, the security policy can be validated. For example, protect240 (FIG. 2) test the security policy against a historical data setstored in graph database 225. Protect 240 can generate a report aroundthe risks and implications of the security policy being implemented.

At step 570, the security policy can be tested. For example, protect 240(FIG. 2) can measure entropy and a rate of change in the data set storedgraph database 225 to predict—when the security policy is deployed—thecloud computing environment (e.g., cloud computing environment 100 inFIG. 1) will change such that applications and/or services will break(e.g., be prevented from proper operation by the security policy).

At step 580, the security policy can be deployed to the cloud computingenvironment (e.g., cloud computing environment 100 in FIG. 1). Forexample, cloud drivers 250 ₁-250 _(Z) can produce requests,instructions, commands, and the like which are suitable for and acceptedby cloud services 260 ₁-260 _(Z) (respectively) to implement thesecurity policy in the cloud computing environments hosted by cloudservices 260 ₁-260 _(Z) (respectively).

Optionally at step 580, the security policy can be maintained. Forexample, cloud drivers 250 ₁-250 _(Z) can make sure the security policyremains in force at the cloud computing environment hosted by arespective one of cloud services 260 ₁-260 _(Z). Optionally at step 580,the security policy can be dynamically updated as workloads subject tothe deployed security policy are deployed and/or killed.

Although steps 510-580 are shown in a particular sequential order,various embodiments can perform steps 510-580 in different orders,perform some of steps 510-580 concurrently, and/or omit some of steps510-580.

FIG. 6 is a simplified block diagram 600 showing functionality ofprotect 240 in cloud security management 200, according to someembodiments. The cloud security management 200 and the protect 240 isdescribed in FIG. 2.

The protect 240 may receive a security policy 610. The security policymay include one or more rules for relationship between workloads 110_(1,1)-110 _(X,Y) of cloud computing environment 100. In someembodiments, the security policy may include JSON documents. Themultiple security policies can be placed in order to resolve potentialconflicts. In example of FIG. 6, the security policy 610 includes a ruleallowing an HTTP service between a source workload A1 and a destinationworkload L1, a rule denying HTTPS service between source workload A2 anddestination workload L2. The security policy 610 may end with a rulethat denies any service between any source workload labeled with A andany destination workload labeled with L.

The security policy 630 can be generated based on a security intent ofthe security template. The security policy 630 can be created by users(operators) who deploy the security policy using the protect 240. Thesecurity policy 630 can be generated based on the security template andthen reviewed and edited by the users.

Before deploying the security policy 610 to the cloud computingenvironment 100, the protect 240 may simulate deployment of the securitypolicy 610 by applying the security policy 610 to the graph database225. Specifically, the protect 240 may traverse through the nodes andedges of the graph database 225 and determine edges that representservices between the workloads which are not allowed by the securitypolicy 610. The protect 240 may determine a type of service orconnection existing between two nodes representing two workloads in thegraph data base. The protect 240 may also determine a type of service orconnection between the two nodes that was present in one or moreprevious time snapshot of the graph database 225. The protect 240 mayfurther determine whether this type of service for these two nodes(workloads) is permitted according to the security policy 610. Inexample of FIG. 6, the graph database includes an HTTPS service betweenthe source workload A2 and the destination workload L2 which is notpermitted after the security policy 610 is deployed to the cloudcomputing environment 100.

Upon completion of traversing the graph database 225, the protect 240may generate list of violations 640. The list of violations 640 mayinclude a subset of nodes and edges in the graph database. Each entry ofthe list of violations 640 may represent a label for a first workloadand a label of a second workload and a type of service or connectionbetween the first workload and the second workload that is not allowedby the security policy 640 but present in the graph database 225. Thelist of violations 640 may be provided to the user. The entries from thelist of violations 640 can be displayed using a graphical representationin a form of the nodes representing workloads and the edges representingservice and connections between the workloads that are not allowed inthe security policy 610. Additionally, the entries from the list ofviolations 640 can be displayed in a table and in a JSON document.

The protect 240 may further receive, from the user, a user inputindicating either allowance or disallowance of a type of service orconnection for an entry from the list of violations. Upon receiving theuser input, the protect 240 may modify the security policy 610 based onthe user input. The protect 240 may further deploy the modified securitypolicy to the cloud computing environment.

FIG. 7 is a simplified flow diagram of a method for validating securitypolicies in a cloud computing environment, according to someembodiments. Method 700 can be performed by system 200 (FIG. 2),including controller 210.

Method 700 can commence at step 710 with providing a graph database. Thegraph database may represent workloads of the cloud computingenvironment (e.g., cloud computing environment 100 in FIG. 1) as nodesand relationships between the workloads as edges. The graph database canbe created and updated based on data concerning the cloud computingenvironment. The data may include streaming telemetry from network logs,events from a cloud control plane, and inventory from a configurationmanagement database.

At step 720, a security policy can be received. The security policy canlogically describe rules for the relationships between the workloads ofthe cloud computing environment. The security policy may include a JSONdocument. The security policy can be generated based on a securitytemplate. The security template may include protected workloads in thecloud computing environment. The security policy can be created by auser.

At step 730, a list of violations can be generated based on the securitypolicy and the graph database. The list of violations may include atleast one relationship from the relationships between the workloads inthe graph database such that this relationship is not allowed by atleast one of the rules of the security policy. The determination of thelist of violations may include simulating the security policy using thegraph database by traversing the nodes and edges in the graph database.While traversing the graph database, the determination of the list ofviolations may include determining a type of connection between at leasttwo of the nodes in the graph database and determining that the type ofconnection between these two nodes is not allowed by the rules of thesecurity policy.

At step 740, the list of violations can be provided to the user. Forexample, a visual representation of the nodes and edges of the graphdatabase can be displayed to the user. In the visual representation, theedges may represent relationships between workloads not allowed by therules of the security policy but present in the graph database.

At step 750, a user input can be received. The user input may indicateallowance or disallowance of a relationship that is not allowed by therules of the security policy but present the graph database.

At step 760, the security policy can be modified based on the userinput. The security policy can be then deployed to cloud computingenvironment.

FIG. 8 illustrates an exemplary computer system 800 that may be used toimplement some embodiments of the present invention. The computer system800 in FIG. 8 may be implemented in the contexts of the likes ofcomputing systems, networks, servers, or combinations thereof. Thecomputer system 800 in FIG. 8 includes one or more processor unit(s) 810and main memory 820. Main memory 820 stores, in part, instructions anddata for execution by processor unit(s) 810. Main memory 820 stores theexecutable code when in operation, in this example. The computer system800 in FIG. 8 further includes a mass data storage 830, portable storagedevice 840, output devices 850, user input devices 860, a graphicsdisplay system 870, and peripheral device(s) 880.

The components shown in FIG. 8 are depicted as being connected via asingle bus 890. The components may be connected through one or more datatransport means. Processor unit(s) 810 and main memory 820 are connectedvia a local microprocessor bus, and the mass data storage 830,peripheral device(s) 880, portable storage device 840, and graphicsdisplay system 870 are connected via one or more input/output (I/O)buses.

Mass data storage 830, which can be implemented with a magnetic diskdrive, solid state drive, or an optical disk drive, is a non-volatilestorage device for storing data and instructions for use by processorunit(s) 810. Mass data storage 830 stores the system software forimplementing embodiments of the present disclosure for purposes ofloading that software into main memory 820.

Portable storage device 840 operates in conjunction with a portablenon-volatile storage medium, such as a flash drive, floppy disk, compactdisk, digital video disc, or Universal Serial Bus (USB) storage device,to input and output data and code to and from the computer system 800 inFIG. 8. The system software for implementing embodiments of the presentdisclosure is stored on such a portable medium and input to the computersystem 800 via the portable storage device 840.

User input devices 860 can provide a portion of a user interface. Userinput devices 860 may include one or more microphones, an alphanumerickeypad, such as a keyboard, for inputting alphanumeric and otherinformation, or a pointing device, such as a mouse, a trackball, stylus,or cursor direction keys. User input devices 860 can also include atouchscreen. Additionally, the computer system 800 as shown in FIG. 8includes output devices 850. Suitable output devices 850 includespeakers, printers, network interfaces, and monitors.

Graphics display system 870 include a liquid crystal display (LCD) orother suitable display device. Graphics display system 870 isconfigurable to receive textual and graphical information and processesthe information for output to the display device.

Peripheral device(s) 880 may include any type of computer support deviceto add additional functionality to the computer system.

Some of the components provided in the computer system 800 in FIG. 8 canbe those typically found in computer systems that may be suitable foruse with embodiments of the present disclosure and are intended torepresent a broad category of such computer components. Thus, thecomputer system 800 in FIG. 8 can be a personal computer (PC), hand heldcomputer system, telephone, mobile computer system, workstation, tablet,phablet, mobile phone, server, minicomputer, mainframe computer,wearable, or any other computer system. The computer may also includedifferent bus configurations, networked platforms, multi-processorplatforms, and the like. Various operating systems may be used includingUNIX, LINUX, WINDOWS, MAC OS, PALM OS, QNX ANDROID, IOS, CHROME, andother suitable operating systems.

Some of the above-described functions may be composed of instructionsthat are stored on storage media (e.g., computer-readable medium). Theinstructions may be retrieved and executed by the processor. Someexamples of storage media are memory devices, tapes, disks, and thelike. The instructions are operational when executed by the processor todirect the processor to operate in accord with the technology. Thoseskilled in the art are familiar with instructions, processor(s), andstorage media.

In some embodiments, the computing system 800 may be implemented as acloud-based computing environment, such as a virtual machine operatingwithin a computing cloud. In other embodiments, the computing system 800may itself include a cloud-based computing environment, where thefunctionalities of the computing system 800 are executed in adistributed fashion. Thus, the computing system 800, when configured asa computing cloud, may include pluralities of computing devices invarious forms, as will be described in greater detail below.

In general, a cloud-based computing environment is a resource thattypically combines the computational power of a large grouping ofprocessors (such as within web servers) and/or that combines the storagecapacity of a large grouping of computer memories or storage devices.Systems that provide cloud-based resources may be utilized exclusivelyby their owners or such systems may be accessible to outside users whodeploy applications within the computing infrastructure to obtain thebenefit of large computational or storage resources.

The cloud is formed, for example, by a network of web servers thatcomprise a plurality of computing devices, such as the computing system800, with each server (or at least a plurality thereof) providingprocessor and/or storage resources. These servers manage workloadsprovided by multiple users (e.g., cloud resource customers or otherusers). Typically, each user places workload demands upon the cloud thatvary in real-time, sometimes dramatically. The nature and extent ofthese variations typically depends on the type of business associatedwith the user.

It is noteworthy that any hardware platform suitable for performing theprocessing described herein is suitable for use with the technology. Theterms “computer-readable storage medium” and “computer-readable storagemedia” as used herein refer to any medium or media that participate inproviding instructions to a CPU for execution. Such media can take manyforms, including, but not limited to, non-volatile media, volatile mediaand transmission media. Non-volatile media include, for example,optical, magnetic, and solid-state disks, such as a fixed disk. Volatilemedia include dynamic memory, such as system random-access memory (RAM).Transmission media include coaxial cables, copper wire and fiber optics,among others, including the wires that comprise one embodiment of a bus.Transmission media can also take the form of acoustic or light waves,such as those generated during radio frequency (RF) and infrared (IR)data communications. Common forms of computer-readable media include,for example, a floppy disk, a flexible disk, a hard disk, magnetic tape,any other magnetic medium, a CD-ROM disk, digital video disk (DVD), anyother optical medium, any other physical medium with patterns of marksor holes, a RAM, a programmable read-only memory (PROM), an erasableprogrammable read-only memory (EPROM), an electrically erasableprogrammable read-only memory (EEPROM), a Flash memory, any other memorychip or data exchange adapter, a carrier wave, or any other medium fromwhich a computer can read.

Various forms of computer-readable media may be involved in carrying oneor more sequences of one or more instructions to a CPU for execution. Abus carries the data to system RAM, from which a CPU retrieves andexecutes the instructions. The instructions received by system RAM canoptionally be stored on a fixed disk either before or after execution bya CPU.

Computer program code for carrying out operations for aspects of thepresent technology may be written in any combination of one or moreprogramming languages, including an object oriented programming languagesuch as JAVA, SMALLTALK, C++ or the like and conventional proceduralprogramming languages, such as the “C” programming language or similarprogramming languages. The program code may execute entirely on theuser's computer, partly on the user's computer, as a stand-alonesoftware package, partly on the user's computer and partly on a remotecomputer or entirely on the remote computer or server. In the latterscenario, the remote computer may be connected to the user's computerthrough any type of network, including a local area network (LAN) or awide area network (WAN), or the connection may be made to an externalcomputer (for example, through the Internet using an Internet ServiceProvider).

The corresponding structures, materials, acts, and equivalents of allmeans or step plus function elements in the claims below are intended toinclude any structure, material, or act for performing the function incombination with other claimed elements as specifically claimed. Thedescription of the present technology has been presented for purposes ofillustration and description, but is not intended to be exhaustive orlimited to the invention in the form disclosed. Many modifications andvariations will be apparent to those of ordinary skill in the artwithout departing from the scope and spirit of the invention. Exemplaryembodiments were chosen and described in order to best explain theprinciples of the present technology and its practical application, andto enable others of ordinary skill in the art to understand theinvention for various embodiments with various modifications as aresuited to the particular use contemplated.

Aspects of the present technology are described above with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems) and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer program instructions. These computer program instructions maybe provided to a processor of a general purpose computer, specialpurpose computer, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions/acts specified inthe flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computerreadable medium that can direct a computer, other programmable dataprocessing apparatus, or other devices to function in a particularmanner, such that the instructions stored in the computer readablemedium produce an article of manufacture including instructions whichimplement the function/act specified in the flowchart and/or blockdiagram block or blocks.

The computer program instructions may also be loaded onto a computer,other programmable data processing apparatus, or other devices to causea series of operational steps to be performed on the computer, otherprogrammable apparatus or other devices to produce a computerimplemented process such that the instructions which execute on thecomputer or other programmable apparatus provide processes forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present technology. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof code, which comprises one or more executable instructions forimplementing the specified logical function(s). It should also be notedthat, in some alternative implementations, the functions noted in theblock may occur out of the order noted in the figures. For example, twoblocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. It will also be notedthat each block of the block diagrams and/or flowchart illustration, andcombinations of blocks in the block diagrams and/or flowchartillustration, can be implemented by special purpose hardware-basedsystems that perform the specified functions or acts, or combinations ofspecial purpose hardware and computer instructions.

The description of the present technology has been presented forpurposes of illustration and description, but is not intended to beexhaustive or limited to the invention in the form disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the invention.Exemplary embodiments were chosen and described in order to best explainthe principles of the present technology and its practical application,and to enable others of ordinary skill in the art to understand theinvention for various embodiments with various modifications as aresuited to the particular use contemplated.

What is claimed is:
 1. A computer-implemented method for validatingsecurity policy in a cloud computing environment, the method comprising:providing a graph database, the graph database representing workloads ofthe cloud computing environment as nodes and relationships between theworkloads as edges; receiving a security policy, the security policylogically describing rules for the relationships between the workloads;determining, based on the security policy and the graph database, a listof violations, the list of violations including at least onerelationship from the relationships between the workloads in the graphdatabase, the at least one relationship being not allowed by at leastone of the rules in the security policy; and providing the list ofviolations to a user.
 2. The computer-implemented method of claim 1,wherein the graph database is created and updated based on a dataconcerning the cloud computing environment, the data including at leastone of streaming telemetry from network logs, events from a cloudcontrol plane, and inventory from a configuration management database.3. The computer-implemented method of claim 1, wherein the securitypolicy is a programmatically readable document including one or more ofthe following: a JavaScript Object Notation document, a Language (YAML)document, and an Open Policy Agent (OPA) rules document.
 4. Thecomputer-implemented method of claim 1, wherein the security policy isgenerated based on a security template, the security template includingprotected workloads in the cloud computing environment.
 5. Thecomputer-implemented method of claim 1, wherein the security policy iscreated by the user based upon manually declared requirements.
 6. Thecomputer-implemented method of claim 1, wherein the determining the listof violations includes: traversing the nodes and the edges of the graphdatabase; and while traversing: determining a type of connection betweenat least two nodes; and determining that the type of connection betweenthe at least two nodes is not permitted by the rules of the securitypolicy.
 7. The computer-implemented method of claim 1, wherein theproviding the list of violations to the user includes: displaying avisual representation of the nodes and the edges of the graph database,wherein the edges correspond to connections not allowed by the at leastone of the rules in the security policy; or a tabular representationusing JSON.
 8. The computer-implemented method of claim 7, furthercomprising: receiving, from the user, a user input indicative ofallowing or disallowing the at the least one relationship not allowed bythe at least one of the rules of the security policy; and modifying thesecurity policy based on the user input.
 9. The computer-implementedmethod of claim 8, further comprising: deploying the security policy tothe cloud computing environment.
 10. The computer-implemented method ofclaim 1, wherein the cloud computing environment is hosted by aplurality of different cloud services.
 11. A system for managingsecurity in a cloud computing environment, the system comprising: aprocessor; and a memory communicatively coupled to the processor, thememory storing instructions executable by the processor to perform amethod comprising: providing a graph database, the graph databaserepresenting workloads of the cloud computing environment as nodes andrelationships between the workloads as edges; receiving a securitypolicy, the security policy logically describing rules for therelationships between the workloads; determining, based on the securitypolicy and the graph database, a list of violations, the list ofviolations including at least one relationship from the relationshipsbetween the workloads in the graph database, the at least onerelationship being not allowed by at least one of the rules in thesecurity policy; and providing the list of violations to a user.
 12. Thesystem of claim 11, wherein the graph database is created and updatedbased on a data concerning the cloud computing environment, the dataincluding at least one of streaming telemetry from network logs, eventsfrom a cloud control plane, and inventory from a configurationmanagement database.
 13. The system of claim 11, wherein the securitypolicy is a JavaScript Object Notation document.
 14. The system of claim11, wherein the security policy is generated based on a securitytemplate, the security template including protected workloads in thecloud computing environment.
 15. The system of claim 11, wherein thesecurity policy is created by the user.
 16. The system of claim 11,wherein the determining the list of violations includes: traversing thenodes and the edges of the graph database; and while traversing:determining a type of connection between at least two nodes; anddetermining that the type of connection between the at least two nodesis not permitted by the rules of the security policy.
 17. The system ofclaim 11, wherein the providing the list of violations to the userincludes: displaying a visual representation of the nodes and the edgesof the graph database, wherein the edges correspond to connections notallowed by the at least one of the rules in the security policy.
 18. Thesystem of claim 17, wherein the processor performs the method furthercomprising: receiving, from the user, a user input indicative ofallowing or disallowing the at the least one relationship not allowed bythe at least one of the rules of the security policy; and modifying thesecurity policy based on the user input.
 19. The system of claim 8,wherein the processor performs the method further comprising: deployingthe security policy to the cloud computing environment.
 20. Anon-transitory processor-readable medium having embodied thereon aprogram being executable by at least one processor to perform a methodfor validating security policy in a cloud computing environment, themethod comprising: providing a graph database, the graph databaserepresenting workloads of the cloud computing environment as nodes andrelationships between the workloads as edges; receiving a securitypolicy, the security policy logically describing rules for therelationships between the workloads; determining, based on the securitypolicy and the graph database, a list of violations, the list ofviolations including at least one relationship from the relationshipsbetween the workloads in the graph database, the at least onerelationship being not allowed by at least one of the rules in thesecurity policy; and providing the list of violations to a user.